Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2026-23997

FacturaScripts has Stored Cross-Site Scripting (XSS) in "Observations" field via History View
Back to all
CVE

CVE-2026-23997

FacturaScripts has Stored Cross-Site Scripting (XSS) in "Observations" field via History View

Summary

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Observations field. The flaw occurs in the History view, where historical data is rendered without proper HTML entity encoding. This allows an attacker to execute arbitrary JavaScript in the browser of  viewing the history by administrators.

Details

When an administrator views the History tab of that specific note, the script executes in their browser session.

PoC

  1. Log in as a regular user.
  2. Open "Sales"=>"Customers"=> "Delivery Notes"

<img width="818" height="223" alt="image" src="https://github.com/user-attachments/assets/82518644-2676-42db-93b1-86133986276c" />

  1.  Chose one of the customer or create the new one.
  2. Open "Delivery notes"

<img width="2078" height="713" alt="image" src="https://github.com/user-attachments/assets/f7e5027f-e574-4807-9e9c-bf8a51bc1fff" />

  1. Create a new Delivery Note or edit an existing one. Fill the "Number 2" field with any value and save.

<img width="2097" height="739" alt="image" src="https://github.com/user-attachments/assets/a3ca5ccb-3d9a-4cfc-a991-16206a1a862b" />

<img width="2097" height="858" alt="image" src="https://github.com/user-attachments/assets/9ca39755-4be6-4303-ab3c-b589cd222daf" />

  1. In the Observations field, enter the malicious JavaScript and save it again.

<img width="2097" height="870" alt="image" src="https://github.com/user-attachments/assets/f189c53b-8b73-44e8-bb18-bd46f37cef4f" />

<img width="1539" height="885" alt="image" src="https://github.com/user-attachments/assets/b2d20eb1-246e-4acc-b904-77bc85373873" />

  1. Now we have record in "History" tab.

<img width="2096" height="768" alt="image" src="https://github.com/user-attachments/assets/6b76d7d4-fc2c-4eb1-9137-4e4ba7287b9b" />

  1. Logout and login as admin. Next go to the "History" tab with malicious code:

<img width="1730" height="702" alt="image" src="https://github.com/user-attachments/assets/54f4af37-72f3-47a0-9669-2b1f6293f2b4" />

<img width="1749" height="670" alt="image" src="https://github.com/user-attachments/assets/f7689083-0128-473c-a4e2-1898e801df78" />

<img width="1479" height="587" alt="image" src="https://github.com/user-attachments/assets/4a6d6e4e-4645-4566-be92-9964c470456e" />

<img width="1541" height="505" alt="image" src="https://github.com/user-attachments/assets/484d9e5f-596a-4508-a9cb-752e16e6564f" />

<img width="2095" height="904" alt="image" src="https://github.com/user-attachments/assets/5462f11c-b274-40e6-af00-d10e7fc1e855" />

Result: Upon opening the history record, the onerror event triggers, executing the JavaScript and displaying an alert box with the application's origin.

Impact

Change admin password via XSS:

<img width="2094" height="1260" alt="image" src="https://github.com/user-attachments/assets/7598f986-0618-46e1-9dc7-64655975b19e" />

<img width="1584" height="1137" alt="image" src="https://github.com/user-attachments/assets/3e2302bc-01a3-4c47-ba9a-e69413e932b3" />

<img width="2084" height="373" alt="image" src="https://github.com/user-attachments/assets/21523278-5bcc-4743-8557-4b6563a127d0" />

<img width="1665" height="787" alt="image" src="https://github.com/user-attachments/assets/eca4d5b7-5dec-410f-9c59-99084821e350" />

Admin password was changed

<img width="1488" height="598" alt="image" src="https://github.com/user-attachments/assets/53d3f4c1-accd-4136-8235-0fe5b287bbfe" />

This vulnerability results in a Critical Full Account Takeover, allowing any user with note-editing permissions to seize control of the admin account. It successfully bypasses CSRF protections and exploits the lack of "current password" verification during credential changes. Once compromised, the attacker gains total access to the system's management, sensitive financial data, and user configurations.

Technical requirements & Complexity

The attack requires prior technical knowledge of the internal API structure (field names and required values), which can be obtained by a legitimate user through browser developer tools. While it requires the target's code (e.g., admin), this is a common default value in most installations.

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
8
-
3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
C
H
U
-

Related Resources

No items found.

References

https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-4v7v-7v7r-3r5h, https://nvd.nist.gov/vuln/detail/CVE-2026-23997, https://github.com/NeoRazorX/facturascripts

Severity

8

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
8
EPSS Probability
0.00017%
EPSS Percentile
0.03722%
Introduced Version
0
Fix Available

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading